FTC sues Wyndham Hotel Corp over repeated security breaches
Executive Summary:
The Federal Trade Commission (FTC) has sued Wyndham Hotel Corp over repeated intrusions into its systems over the past few years. The FTC alleges that the hotel chain failed to respond adequately to the first breach, in 2008, and so allowed two further breaches between 2008 and 2011. Across the three incidents, Russian attackers installed malware on Wyndham's network and obtained payment card numbers and other details for more than 500,000 customer accounts. The stolen data was then used to run about $10.6 million in fraudulent credit card charges.
Analysis:
The cause of the Wyndham breaches was, in part, "low hanging fruit": easily guessed passwords on user accounts on the company's servers. Administrative and service accounts need strong, unique credentials, and any credential that may have been exposed in an incident has to be changed immediately afterwards. That is the response the company failed to make after the first breach: it did not harden its systems, so the same weaknesses were exploited again. As a large processor of credit card transactions, Wyndham is required to follow PCI DSS. The most serious failing is that customer records and card numbers were stored in clear text. PCI DSS (Requirement 3) requires that stored primary account numbers be rendered unreadable, whether by strong encryption, truncation, tokenization or keyed hashing, with the cryptographic keys protected and managed separately from the data they cover, and it prohibits storing sensitive authentication data such as CVV codes and full magnetic-stripe track data after authorization at all. The card-handling environment is also expected to be segmented from the general corporate network. The point of all this is that the compromise of an ordinary server does not hand the attacker usable card data. It is alarming that a corporation of this size failed to meet these requirements, and the pattern points to a weak security culture. There appears to have been no incident response procedure in place, or if one existed it was not regularly tested, since a tested process would have caught the recurrence of the same intrusion.
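As an added illustration (this is example code written for this page, not anything from Wyndham or the FTC complaint), the block below contrasts the clear-text storage pattern criticised above with a record layout that satisfies the PCI DSS "render the PAN unreadable" rule using only the Python standard library: the full card number is replaced by a keyed HMAC-SHA256 token and a truncated display form, sensitive authentication data (CVV, track data, PIN) is refused outright, and the key is assumed to come from a separate key store. The key value, the field names and the sample card numbers are all constructed for the example.

```python
"""Added example: storing payment card data the way PCI DSS Requirement 3
expects, beside the clear-text pattern it replaces. Not code from the
article, Wyndham, or the FTC. The HMAC key below is a constructed sample;
in a real deployment it is fetched from a separate key-management service
and never lives beside the card records."""
import hmac
import hashlib
import re
from dataclasses import dataclass

# Constructed 256-bit sample key (hypothetical); never hard-code a real one.
KEY_FROM_SEPARATE_KMS = bytes.fromhex(
    "7f2a91c4e6b0d3f85a1c7e9b2d4f6081a3c5e7092b4d6f8a1c3e5b7d9f0a2c4e"
)

# Fields PCI DSS forbids storing after authorization, whatever the encoding.
SENSITIVE_AUTH_FIELDS = ("cvv", "cvc", "track1", "track2", "pin")


def normalize_pan(pan: str) -> str:
    """Strip the spaces and dashes users type so the same card always tokenizes the same way."""
    return re.sub(r"[\s-]", "", pan)


def luhn_valid(pan: str) -> bool:
    """Standard Luhn check; rejects typos before a bad value is tokenized."""
    checksum = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        checksum += d
    return checksum % 10 == 0


def truncate_pan(pan: str) -> str:
    """First six and last four digits only, the most PCI DSS allows on a receipt or support screen."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def tokenize_pan(pan: str, key: bytes) -> str:
    """Keyed one-way token over the whole PAN. Without the key an attacker who
    dumps the table cannot brute-force the 16-digit space back to card numbers."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def matches_token(pan: str, key: bytes, token: str) -> bool:
    """Look up a returning card without ever storing its number; constant-time compare."""
    return hmac.compare_digest(tokenize_pan(normalize_pan(pan), key), token)


def validate_for_storage(raw: dict) -> list[str]:
    """Return every reason a submitted record must not be written to the database."""
    problems = [f"{f} must not be stored after authorization" for f in SENSITIVE_AUTH_FIELDS if f in raw]
    pan = normalize_pan(raw.get("pan", ""))
    if not re.fullmatch(r"\d{13,19}", pan) or not luhn_valid(pan):
        problems.append("pan is not a valid card number")
    return problems


@dataclass(frozen=True)
class StoredCard:
    pan_token: str    # HMAC-SHA256 of the full PAN, hex encoded
    pan_display: str  # truncated PAN for humans
    expiry: str


def store_card_plaintext(raw: dict) -> dict:
    """The pattern the FTC complaint criticises: whatever was submitted, full PAN
    included, written to the general database in clear text."""
    return dict(raw)


def store_card(raw: dict, key: bytes) -> StoredCard:
    """Hardened form: refuses sensitive authentication data and keeps no full PAN at all."""
    problems = validate_for_storage(raw)
    if problems:
        raise ValueError("; ".join(problems))
    pan = normalize_pan(raw["pan"])
    return StoredCard(
        pan_token=tokenize_pan(pan, key),
        pan_display=truncate_pan(pan),
        expiry=raw.get("expiry", ""),
    )


if __name__ == "__main__":
    # Constructed sample input: a test card number that passes Luhn.
    submitted = {"pan": "4111 1111 1111 1111", "expiry": "12/29", "cvv": "123"}
    print("plaintext record:", store_card_plaintext(submitted))
    print("storage problems:", validate_for_storage(submitted))
    del submitted["cvv"]
    record = store_card(submitted, KEY_FROM_SEPARATE_KMS)
    print("hardened record:", record)
    print("returning customer?", matches_token("4111111111111111", KEY_FROM_SEPARATE_KMS, record.pan_token))
```

The design point is that a dump of the hardened table yields only truncated numbers and HMAC tokens, which are worthless without the key held elsewhere, which is exactly what separating cardholder data and keys from the general servers is meant to achieve; the `store_card_plaintext` path shows how little the clear-text alternative protects.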
CNN reports that the FTC cannot impose a civil penalty on a first-time violator of Section 5 of the FTC Act, which prohibits unfair and deceptive practices, and this is the first time Wyndham has been charged under it. The FTC is nonetheless seeking a permanent injunction that would force Wyndham to implement security measures to better protect customer information.